Fix security policy bot not allowed to run pipelines on GitLab.com
Behind the `scan_execution_bot_users` feature flag I added a feature that adds bot users to projects and then uses the bot user to trigger scheduled scan execution pipelines.
The bot user is added as Guest to the project but has some special permissions (added in !119136 (diffs)) to run pipelines.
This works as expected on staging and can be verified using the steps below. However, it does not work on GitLab.com.
I was able to find logs for the failed pipeline creations. The logs show that the pipeline has a validation error:
You do not have sufficient permission to run a pipeline on 'test'. Please select a different branch or contact your administrator for assistance.
How to reproduce
- Enable the `scan_execution_bot_users` feature flag. It is enabled by default on staging and can be enabled for specific projects on GitLab.com.
- Prepare the test project. Follow the steps below or clone https://gitlab.com/gitlab-org/govern/security-policies/andys-test-group/scan-execution-policy-test
  - Create a new project with a working `.gitlab-ci.yml` file. For example, use the bash template.
  - Add an empty file named `package.json` to the project. This is required for the SAST scan to run.
  - On the left sidebar, select Repository and Branches.
  - Select New branch.
  - Enter `test` as the name.
  - Select Create branch.
- Prepare the security policy
  - On the left sidebar, select Security and Compliance and Policies.
  - Select New policy.
  - Select Scan execution policy.
  - Switch to `.yaml mode`.
  - Replace the content with the example policy yaml below.
  - Select Configure with a merge request.
  - Select Merge.
- Go back to your initial project.
  - There should now be a `bot` member named GitLab Security Policy Bot.
- Wait for the next full hour until the scheduled pipeline is triggered.
- View the pipelines page of your project.
  - There should be a new pipeline triggered by the GitLab Security Policy Bot.
Example policy yaml

```yaml
type: scan_execution_policy
name: test
description: ''
enabled: true
rules:
- type: schedule
  branches:
  - test
  cadence: 0 * * * *
actions:
- scan: sast
  tags: []
```
Implementation plan
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2094,7 +2094,7 @@ def max_member_access_for_group(group_id)
end
def terms_accepted?
- return true if project_bot?
+ return true if project_bot? || security_policy_bot?
accepted_term_id.present?
end
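Review bot: the new `|| security_policy_bot?` branch in `terms_accepted?` needs a spec case alongside the existing `project_bot?` one, so that the GitLab.com pipeline-creation failure this issue describes ("You do not have sufficient permission to run a pipeline on 'test'") cannot regress silently; the hunk also relies on a `security_policy_bot?` predicate being defined on `User`, which is not visible here and should be confirmed (or added in the same change). A short comment above the `return true` line explaining why bot-type users are exempt from terms acceptance would help the next reader, since the exemption is otherwise easy to mistake for a permission bypass.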
Edited by Andy Schoenen